The cyber “hacktivist” group Anonymous allegedly disclosed Christmas that it broke into the Web site of a Texas-based security consulting firm. Furthermore, the group apparently has threatened to wreak more havoc on a lengthy list of targets over the coming week.
The breach, detailed in an article in The Wall Street Journal, involved stealing credit card data and other information from Stratfor, a security consulting and risk analysis firm based in Austin, Texas. Various messages on the Twitter microblogging service sent by account names linked to the Anonymous organization claim that the group has stolen more than 200 gigabytes of data from the firm. That includes confidential client lists, email addressses, and credit card numbers, which it is using to make donations to charities. Stratfor’s vulnerabilty was in failing to encrypt the information it was storing on its servers, a fact that the alleged attackers deride in their Tweets.
Stratfor has acknowledged that it believes it has been attacked, in part by taking its Web site offline with a message saying that it is “undergoing maintenance.”
Moreoever, some of the victims of the attack — individuals whose names and personal information were within the Stratfor database — have reported unauthorized credit card activity.
An email sent to Stratfor subscribers and passed on to the Associated Press noted: “We have reason to believe that the names of our corporate subscribers have been posted on other Web sites. We are diligently investigating the extent to which subscriber information may have been obtained.” The email was signed by Stratfor CEO George Friedman.
The incident underscores once again the need for companies of all sizes to get a better handle on how they protect data offered up not just on their Web sites, but also within their internal networks.
That is because even as high-profile attacks such as the one on Stratfor tend to make headlines, research has shown that most of the targeted attacks perpetrated by groups such as Anonymous are against smaller companies. Research from Symantec, for example, suggests that 40 percent of these attacks are on organizations with fewer than 500 employees, compared with 28 percent launched against much larger businesses.
As it turns out, additional information and statements have emerged suggesting that Anonymous may not have actually been responsible for the attack. But does it really matter who or what was specially responsible for this particular attack?
There are plenty of attackers and victims to choose from. The Washington Post reported in mid-December that more than 760 companies — many of them in the United States — have been the subject of attacks from just one “elite” Chinese group over the past 10 years. One company highlighted on that list was iBahn, a small company that provides Internet services to hospitality companies.
Do You Protect Your Clients?
If a company that specializes in security policies can be surprised by an attack of this nature, what sort of damage could it do to your company’s confidential client information?
Many small-business owners tend to assume they are invulnerable to cybersecurity breaches, if for no other reason than the fact their business is small enough to escape notice. That sort of assumption is an increasingly dangerous one. In the case of iBahn, for example, the attackers were apparently interested in the activities of its clients, not in the company itself. Even if your company thinks it is too small to be worth the trouble, that may not be true of your clients. Do they deserve to suffer for your negligence?